Industrial Control System Cyber Security and the Employment of Industrial Firewalls as a Partial Solution

This presentation provides an overview of industrial control systems and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the risks.

3. Cyber Security?
● Measures used to protect assets against computer threats.
● Covers both intentional and unintentional attacks.
  ● Malware or network traffic overloads can affect a control system.
  ● Accidental misconfiguration or well-intentioned but unauthorized control system changes.
  ● Direct attacks by internal or external threats.
● Increasing the security of the assets also increases the integrity of the production system.
Schneider Electric - Industrial Control Cyber Security and the Employment of Industrial Firewalls as a Partial Solution – 2012

4. What is a Security Incident?
● Customer site issue – attack or misuse
● Vulnerability disclosure – internal or external
  ● Becoming aware of an issue in our products or systems that could allow an attacker to modify the behavior, obtain information that should not be available, or impact the availability.
● US Government Agency Computer Emergency Readiness Team
  ● ICS-CERT disclosures up from 38 (2010) to 136 (2011)
  ● 500 predicted in 2013
  ● Schneider Electric product disclosures up from 2 (2010) to 11 (2011)
  ● 4 in Jan 2012 alone (3 in Industry)

6. Why Now?
● The rapidly changing world of technology makes computer systems more vulnerable to a cyber attack.
● Increases in attacks on general IT systems and directed attacks on companies result in an increase in threats to control systems.
● Open systems have proven to be desirable and effective but expose a control system to greater risks.
● Government and companies are responding with cyber security standards for control systems.
● Awareness that control systems contain valuable business data and are also vulnerable has increased the focus on cyber security.
● Dedicated attacks are increasing for industrial companies.
● Researcher focus on control systems is increasing awareness and providing tools.

7. What is the Trend? What language are you speaking on Ethernet?

12. What is a Cyber Security Vulnerability?
● A weakness within a product or a system that could allow the system to be attacked.
● Security researchers are exposing product vulnerabilities
  ● Profit, publicity
  ● To force improvements by vendors
● Vulnerabilities are very common
  ● Microsoft fixes 10-50 each month
  ● Over 500 vulnerabilities predicted in industrial control systems in 2013

14. Vendor’s Responsibility to a Vulnerability
● Provide fixes and patches to vulnerabilities
● Keep customers informed of latest fixes
● Recommend mitigations to limit the risks or remove the vulnerability
  ● Use industrial firewalls when needed
  ● Securing your ConneXium switches
● Analyze vulnerabilities to understand their impact on a customer’s system
  ● A PLC command vulnerability on FTP is only an issue for a system if FTP access is allowed from people that will send that command

15. Customer’s Responsibility to a Vulnerability
● A sound security plan and employee training
● Stay informed on vulnerabilities applicable to their system
● Analyze the risk involved with every vulnerability and understand the impact on the application
● Apply mitigations to limit the risks or remove the vulnerability
  ● Use industrial firewalls when needed
  ● Securing ConneXium switches
  ● Applying vendor fixes and patches

16. How are Vulnerabilities Tracked?
● Vulnerabilities are tracked by US-CERT and other national CERT bodies
  ● Customers should watch these databases for issues with products they use
● Many vulnerabilities are reported on blogs and in online magazines
● Schneider Electric updates US-CERT with fixes and recommends mitigations for our products
● Schneider Electric Cyber Security Web Site
  ● Lists all product vulnerabilities
  ● Lists mitigation actions and patches

18. Security is a Risk Evaluation
● Customers and vendors should both handle security based on risk
  ● Evaluate the risks, take action on the risks above a defined level
  ● Both systems and products can and should be evaluated for risk
  ● Risks on a product can be mitigated by another component of the system
● Risk = Threat x Vulnerability x Consequence
  ● Threat - a person or event with the potential to cause a loss
  ● Vulnerability - a weakness that can be exploited by an adversary or an accident
  ● Consequence - the amount of loss or damage that can be expected from a successful attack
● Mitigation - something that is done to reduce the risk
  ● Normally reducing the vulnerability or raising the skills needed to exploit it

19. Exercise – Discuss in your group:
● Has your management asked about cyber security?
● Are you doing anything right now for cyber security?
● How are you and your team trained in security?
● Do you have an automation and operation policy?
● Are you willing to change behavior for a more secure system?

28. “Defence in Depth” Step #3: Perimeter Protection - ConneXium Firewall
● Firewall - a device for filtering packets based on source/destination IP address and protocol.
● Ingress and egress filtering
  ● Source IP addresses should be very few
● Rule placement
  ● Firewalls should be configured with a default Deny All rule
  ● Rules that address the expected traffic
● Permit rules should have specific IP addresses and TCP/UDP port numbers
● Only pre-defined traffic should be allowed from the IT network to the control network

29. “Defence in Depth” Step #3: Perimeter Protection - Industrial Firewall Configuration
● The National Institute of Standards and Technology (NIST) has provided the following guidelines:
  ● The base rule set should be “deny all, permit none.”
  ● Ports and services enabled on a specific case-by-case basis.
  ● Risk analysis and a responsible person identified for every permit rule.
  ● All “permit” rules should be both IP address and TCP/UDP port specific.
  ● All rules should restrict traffic to a specific IP address or range of addresses.
  ● Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ.
  ● All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
  ● Control network devices should not be allowed to access the Internet even if protected via a firewall.
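The rule-set guidance on slides 28 and 29 (default deny, permit rules specific to IP and port, a responsible person per rule, control-to-corporate traffic terminating in a DMZ, no Internet from the control network) can be turned into a small rule linter and default-deny evaluator. This is an added example, not code from the presentation or from any ConneXium product; the zone addresses, rules and owner names are constructed sample values.

```python
import ipaddress
from collections import namedtuple

N = ipaddress.ip_network
# Constructed zones (sample addresses, not from the slides); unknown space counts as Internet.
ZONES = {"control": N("10.10.0.0/24"), "dmz": N("10.20.0.0/24"),
         "corporate": N("192.168.50.0/24")}

def zone_of(ip_or_cidr):
    net = N(ip_or_cidr, strict=False)
    return next((z for z, r in ZONES.items() if net.subnet_of(r)), "internet")

# src/dst: single IP or CIDR ("any" is what the guidelines forbid); port: int or "any";
# owner: the responsible person identified for this permit rule.
Rule = namedtuple("Rule", "src dst proto port owner")

def lint_rule(r):
    """NIST guideline violations for one permit rule; [] means compliant."""
    problems = []
    if "any" in (r.src, r.dst):
        problems.append("src/dst must be a specific IP address or range")
    else:
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "control" and d == "corporate":
            problems.append("control -> corporate must terminate in a DMZ")
        if s == "control" and d == "internet":
            problems.append("control network devices may not reach the Internet")
    if r.port == "any":
        problems.append("rule must be TCP/UDP port specific")
    if not r.owner:
        problems.append("no responsible person identified")
    return problems

def permits(rules, src_ip, dst_ip, proto, port):
    """Default deny: a flow passes only if a compliant permit rule matches it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if lint_rule(r):   # non-compliant rules are never loaded into the firewall
            continue
        if (src in N(r.src, strict=False) and dst in N(r.dst, strict=False)
                and r.proto == proto and r.port == port):
            return True
    return False

# Constructed sample rule set: one compliant rule and two the linter rejects.
SAMPLE_RULES = [
    Rule("10.20.0.10", "10.10.0.5", "tcp", 502, "J. Doe"),        # DMZ collector -> PLC, Modbus
    Rule("10.10.0.0/24", "192.168.50.7", "tcp", 1433, "J. Doe"),  # control -> corporate direct
    Rule("192.168.50.0/24", "10.10.0.5", "tcp", "any", ""),       # any port, nobody responsible
]
```

Running `lint_rule` over a proposed rule set before it is loaded gives the "risk analysis per permit rule" step a concrete checklist; `permits` shows that anything not explicitly matched falls through to deny.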

30. “Defence in Depth” Step #3: Perimeter Protection - Remote Access / Virtual Private Network
● Description
  ● Used to provide secure communications across non-trusted networks
  ● Provides security through encryption and authentication, restricting access and protecting the data as it moves.
  ● Client VPN (telecommuter, for example) or site-to-site
● Basics
  ● An extended protection of the network, or allows client access across the Internet
  ● Two flavors: IPsec and SSL/TLS
  ● Can utilize RADIUS - uses several different types of authentication; examples are username and password, digital signatures, and hardware tokens
  ● Can also use LDAP in making access decisions

32. “Defence in Depth” Step #4: Network Segmentation and Zones - ConneXium Switches
● Switches
  ● Limit traffic flow to prevent data gathering
  ● Implement VLANs to allow the logical and physical architectures to be different (less hardware cost but more complex setup and maintenance)
● Segmenting the network is…
  ● Good network design, but also assists with security
  ● Allows the creation of concentration points to move from one zone to another, allowing a single place for security checks
  ● Limits the impact of a security breach
● Weakness
  ● Can be bypassed by flooding the switches
  ● Can cause difficulty when trying to connect and log in

35. Password Management
● Fundamental tools of device hardening
  ● Passwords can easily and quickly be implemented but are too often neglected in the control system network.
  ● Policies and procedures on password management are often lacking or missing entirely.
● Password Management Guidelines
  ● Change all default passwords immediately after installation:
    ● PC / SCADA / HMI user and application accounts
    ● Network control equipment
    ● Devices with user accounts
  ● Grant passwords only to people who need access. Prohibit password sharing.
  ● Do not display passwords during password entry.
  ● Passwords should contain at least 8 characters and should combine upper and lowercase letters, digits, and special characters such as !, $, #, %
  ● Require users and applications to change passwords on a scheduled interval.
  ● Remove employee access accounts when employment has terminated.
  ● Require use of different passwords for different accounts, systems, and applications.
● Password implementation must never interfere with the ability of an operator to respond to a situation (e.g. emergency shut-down).
● Passwords should not be transmitted electronically over the unsecure Internet, such as via e-mail.

36. PC Hardening
● Restrict physical access to administrators or similar authorized personnel.
  ● Locate physical machines outside of operator access areas.
● Restrict network access using a DMZ if possible.
● Disable or remove unused programs and services.
● Hardening of servers, particularly user account management and patching, should be a continuous process improvement. All file systems should be NTFS.
● Harden the PC server and its operating system via strong and unique user and administrative account passwords.
● Use enterprise grade operating systems, such as Windows 2008 R2 Standard Server, maximizing the benefits of DEP (Data Execution Prevention) and UAC (User Account Control) provided by these operating systems.
● Patch the operating system to current required levels on a documented, monitored schedule.
● Implement Microsoft Windows authentication, perhaps centrally using Active Directory if possible.

37. Anti-Virus
● Description
  ● Monitoring of the system and blocking / removal of programs matching a known virus
● Basics
  ● Anti-virus is a blacklisting technology – defines what is not allowed.
  ● Based on signatures of known bad items (software, files, etc.)
● Weakness
  ● Processor intensive, since the system must be scanned against the known signature list.
  ● Most systems contain < 1/3 of the virus signatures that are known.
  ● Anti-virus vendors distribute signatures based on active viruses and location in the world.

38. Switch Hardening
● SNMP
  ● Deactivate SNMP v1 & v2 and use SNMP v3 whenever possible
  ● Change default passwords / community strings
  ● If SNMP v1/v2 is needed, use access settings to limit the devices (IP addresses) that can access the switch. Assign different read and read/write passwords to devices.
● Telnet / Web Access (HTTPS)
  ● Both active in the default state and allow full switch configuration
  ● Deactivate the telnet server if not using the command line interface to configure the switch
  ● Change the default read and read/write passwords for the telnet and web servers
  ● After configuration and operational verification, disable the web server for highly secure systems
  ● Note: Disabling both the telnet server and the web server will result in only being able to access the switch via the V.24 port.
● Ethernet Switch Configurator Software Protection
  ● The Ethernet Switch Configurator Software protocol allows users to assign an IP address, net mask and default gateway IP to a switch.
  ● Once configuration is complete, disable the Ethernet Switch Configurator Software protocol frame or limit the access to read-only.
● Ethernet Switch Port Access
  ● A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.
  ● Ethernet switches maintain a table called the Content Addressable Memory (CAM) that maps individual MAC addresses on the network to the physical ports on the switch.
  ● A MAC flooding attack fills the CAM table and the switch becomes a hub, allowing capture of data.
● Ethernet Switch Port Risk Mitigation
  ● Disable unused ports
  ● Lock specific MAC addresses to specific ports on the Ethernet switch.
  ● Lock specific IP addresses to specific ports on the Ethernet switch.
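To make the CAM table point concrete, the following toy switch model shows why a full table turns the switch into a hub, and how the two mitigations on this slide (locking known MACs to ports, disabling unused ports) keep PLC-bound frames on their own port and give the operator a violation record to alarm on. This is an added example, not code from the presentation or any ConneXium switch; the port names, MAC addresses and the tiny table size are constructed.

```python
from collections import OrderedDict

class Switch:
    def __init__(self, ports, cam_size):
        self.ports = set(ports)
        self.cam_size = cam_size          # constructed: tiny so eviction shows quickly
        self.cam = OrderedDict()          # MAC -> port, oldest learned entry first
        self.locked = {}                  # port -> MACs allowed on it
        self.disabled = set()             # unused or err-disabled ports
        self.violations = []              # (port, mac) records for the operator's log

    def lock_port(self, port, macs):
        self.locked[port] = set(macs)

    def disable_port(self, port):
        self.disabled.add(port)

    def learn(self, port, src_mac):
        """Process a frame's source MAC; return True if it was learned or refreshed."""
        if port in self.disabled:
            return False
        if port in self.locked and src_mac not in self.locked[port]:
            self.violations.append((port, src_mac))
            self.disabled.add(port)       # err-disable the port on the first unexpected MAC
            return False
        if src_mac not in self.cam and len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)  # table full: the oldest entry is evicted
        self.cam[src_mac] = port
        self.cam.move_to_end(src_mac)
        return True

    def forward(self, dst_mac):
        """Egress ports for a frame to dst_mac; an unknown destination is flooded like a hub."""
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return self.ports - self.disabled

PLC, HMI, ENG = "00:80:f4:00:00:01", "00:80:f4:00:00:02", "00:80:f4:00:00:03"  # constructed

def flood_scenario(hardened):
    """Burst of 50 unknown source MACs on p3; report where PLC-bound frames end up."""
    sw = Switch(["p1", "p2", "p3", "p4"], cam_size=8)
    if hardened:   # the slide's mitigations: lock known MACs to ports, disable unused ports
        for port, mac in (("p1", PLC), ("p2", HMI), ("p3", ENG)):
            sw.lock_port(port, [mac])
        sw.disable_port("p4")
    sw.learn("p1", PLC)
    sw.learn("p2", HMI)
    for i in range(50):
        sw.learn("p3", f"02:00:00:00:00:{i:02x}")   # constructed burst of source MACs
    return sw.forward(PLC), len(sw.violations), sorted(sw.disabled)
```

Without the mitigations the PLC entry is evicted and frames to it are sent out every port; with them the first unexpected MAC on p3 shuts that port and is logged, and PLC traffic stays on p1.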

40. PLC Hardening - Access Control Lists
● Description
  ● Limits Modbus access using a list of permitted IP addresses
  ● Only protection available today on the PLC for the Modbus protocol (external protection is better)
● Basics
  ● Similar to a firewall but only applicable for port 502
● Weakness
  ● Easy to bypass with IP address spoofing or a “man in the middle” attack

41. Citect Hardening
● Run Citect with non-administrative privileges only.
● Do not install developer tools on a running production Vijeo Citect server.
  ● These tools should be installed only on dedicated workstations.
● Provide operator access to the server via Vijeo Citect Web Clients.
  ● Use web clients instead of internet display clients
● Limit who can see specific information by configuring roles within Vijeo Citect.
● Prevent web and e-mail access on systems directly on or accessing the Vijeo Citect system. It is recommended that web and e-mail access be highly restricted, if not disabled entirely, for any system in the control room.